| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Some deployments were expecting specific ports for the OpenStack
services; In case the default ports are not meeting those needs, we
need to provide the means of changing the defaults.
Change-Id: Idbbcc90e2af1b3a731b0b5ea955df6082541a9f7
|
|
Heat has the ssl middleware to handle the X-Forwarded-Proto header by
default. We override this header when SSL is enabled because we need
to, but overriding it even when we won't be terminating SSL will
prevent some attacks using this header.
Change-Id: I0b2c61cd4f47c8c08a84402af310983af752d3f2
|
|
Right now, the only manipulation done to the X-Forwarded-Proto header
is done if an SSL connection is established. This is not sufficient as
one might be able to erroneously put values through that header.
This patch disables that behaviour by defaulting to plain http if an
SSL connection is not established.
Change-Id: I4bf6def21e21148834c2baa9669190bab8fa95ef
|
|
|
|
|
|
|
|
As for Heat, we need to be able to handle 30X redirects from Horizon
when configured to use SSL. Because Horizon's redirects are
handled directly by Apache, we can't use middleware to handle the
X-Forwarded-Proto header like we are planning to do for the other
services. However, in this case we don't need to worry about
rewriting urls in the payload like we do for the other services
because Horizon is just serving standard web pages, not custom
HTTP bodies with JSON contents.
One other change from the previous Heat patch is to drop the IP
from the rewrite regex. This is because Horizon will generally be
accessed via a DNS name, so the IP won't appear in the Location
header. The heat regex should probably be changed as well since
we now support registering endpoints with DNS names, but since we
plan to move all the other services to the X-Forwarded-Proto header
middleware anyway we can probably just wait until that happens and
then remove the Heat rule entirely.
Change-Id: I039a3036be17eeabe3cff68e0ef24f70907cc568
|
|
|
|
|
|
|
|
Enable oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory in
ssl_header_handler middlewarefilter so we can run Nova API with SSL
support.
Change-Id: If88dcdf9f4905e2a792b2fdc656eab51c85f637e
|
|
Change the workflow to be:
Upgrade all packages before any services that is notified & managed by
Puppet.
It also disable the Exec timeout so we rely on Heat timeout and not on
the 300s that are the default in Puppet [1]
Example: we upgrade and OpenStack config will change (obviously).
Puppet catalog will contain 3 important things:
* config resources
* service resources
* package-upgrade Exec resource
with that patch, what will happen:
* puppet will update config first or second and notify
services
* puppet will run package-upgrade first or second but before
the package-upgrade Exec resource
* at the very end, puppet will restart services
That way, we avoid complications with Puppet dependency cycle issues.
[1] https://docs.puppetlabs.com/references/latest/type.html#exec-attribute-timeout
Closes-Bug: 1536349
Change-Id: I07310bdfc5b07b03ac9fa5f8c13e87eaa2bfef4d
|
|
This is useful for handling URLs properly when TLS is enabled.
Change-Id: I4defed679cf3b2980dcc4ce1db030c0fdf154bfe
|
|
Change-Id: Iddf1fdaabc1c758546999e7af7e7412158400e7f
|
|
Change-Id: I3bd836140537fc5b7e3fba600a712d6a9d6f1185
|
|
Change-Id: Id5e119e0949d27a6e3b3f21ecd5e2eb39f1eeb13
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Haproxy is using session persistence[1] for horizon. It is not
correctly configured though. The cookie is not properly set. This add
the necessary code.
[1]: http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/
Change-Id: Ic9d79475cf84c25fb8146ecbc5f0a45862c106f0
Closes-Bug: 1526786
|
|
Adds configuration for Trove to loadbalancer class.
Partially-implements: blueprint trove-integration
Change-Id: I3cdf43b6d63ad0ee68db047518743c62b6689f56
|
|
Adds configuration for Sahara to loadbalancer class.
Change-Id: I0f0a1dc2eaa57d8226bad8cfb250110296ab9614
Partially-implements: blueprint sahara-integration
|
|
This updates tripleo::packages so that when enable_upgrade
is used it will:
1) upgrade puppet managed packages (will trigger puppet dependencies)
2) then upgrade all packages via exec
3) then restart services
NOTE: the intention here is that the Exec['update-packages'] will
always execute if enable_upgrade is set. It is not idempotent
in this regard because I think we always want to execute it
if enable_upgrade is set.
Change-Id: I02f7cf07792765359f19fdf357024d9e48690e42
Related-bug: #1522943
|
|
Change-Id: Icd666d9988d14ac1e9581f55589bf95243cc7641
|
|
|
|
Switch to locp/cassandra module since it has much more options than
midonet/puppet-cassandra and it is already defined on the
openstack-puppet-modules packages in RHEL. More info:
https://bugzilla.redhat.com/show_bug.cgi?id=1285718
Depends-On: I72f21036fda795b54312a7d39f04c30bbf16c41b
Change-Id: Icea9bd96e4c80a26b9e813d383f84099c736d7bf
|
|
|
|
MidoNet API needs to be loadbalanced if the midonet environment is
activated.
Change-Id: I6f1ac659297b8cf6671e11ad23284f8f543568b0
|
|
Unfortunately, some distributions like CentOS 7 (I guess RedHat 7 as
well) still using puppet < 3.7, which experience the annoying 'PUP-1299'
bug:
https://tickets.puppetlabs.com/browse/PUP-1299
So passing a single array element, it magically transforms to a string
(or whatever the inside elements are) and the validate_array fails. We
need to get rid of these validations.
Change-Id: Icc22ee575b7c236d1a6358f8593cf813d339a4b5
|
|
|
|
Change-Id: I3fdb705bbac26b4bc43a18131407a0a86d36a8a5
|
|
One of the ways to make use of TLS in keystone is through the usage of
the X-Fowarded-Proto header, which will be forwarded with the request
by the loadbalancer, and it will tell keystone what protocol was used
to access it. This also requires configuration from the keystone side.
Change-Id: I9b899ba95e28b7dfae0c1ed84ca8431054673925
|
|
Add Gnocchi (OpenStack Metric storage) support in TripleO Loadbalancer config.
Change-Id: Ia991819f57616a9a11bd4dfb77893748130268a0
|
|
|
|
|
|
Add Aodh (Ceilometer Alarming) support in TripleO Loadbalancer config.
Change-Id: I891985da9248a88c6ce2df1dd186881f582605ee
|
|
Provide TripleO overcloud manifests to deploy MidoNet and the cluster
services that needs to run.
Change-Id: I24f852e74fc4652d4609e1a71897e813448055fe
|
|
Nova vnc and swift proxy were listening on the same port if SSL is
enabled in the load balancer
Change-Id: Ibf4aa118d6c8e94f8f2a68bf270d5445ebda7593
|
|
|
|
keystone and heat_cfn were listening on the same port if SSL is enabled
inm the load balancer.
Change-Id: I099119198ebf3322a783581f0c6758417e705a2e
|
|
When using websockets in HAProxy, like nova_novncproxy does, we
need to set "timeout tunnel" to avoid disconnections after a short
period without traffic.
Change-Id: I1b66cd9a1d20cbbe35a2ada5782a76a01b14bcd1
Closes-BZ: 1267043
|
|
Current HAproxy config is broken for MySQL timeout parameters.
This is what we have today by default in HAproxy logs:
--------------
[WARNING] 238/115010 (13878) : config : missing timeouts for proxy
'mysql'.
| While not properly invalid, you will certainly encounter various
problems
| with such a configuration. To fix this, please ensure that all
following
| timeouts are set to a non-zero value: 'client', 'connect', 'server'.
--------------
This patch aims to:
* Use the correct parameters to configure puppetlabs-haproxy
* Update the database timeouts to higher values to prevent the
services from disconnecting too frequently by setting the Galera HAProxy
timeout to 90 minutes.
Change-Id: I06dd4bf81d4f4fd3c01bb681f6f0b3152f2b8eea
|
|
|
|
- s/manila/$manila
Change-Id: I7aaa8f83fe758484ab39af28c914fa3d78464633
Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
|
|
This simplifies use of tripleo::packages so that when
enable_upgrade is set to true you no longer have to enable_install
as well.
Change-Id: Ic3050a64530be9e2b6827ed8566f59d28547ae81
|
|
|
Juan Antonio Osorio Robles
Jenkins
Ben Nemec
Emilien Macchi
Giulio Fidente
Sofer Athlan-Guyot
Ethan Gafford
Dan Prince
Jaume Devesa
Javier Pena
Gael Chamoulaud